leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5353ed8dee
linux/drivers
History
Colin Ian King 5353ed8dee devpts: fix null pointer dereference on failed memory allocation 
An ENOMEM when creating a pair tty in tty_ldisc_setup causes a null
pointer dereference in devpts_kill_index because tty->link->driver_data
is NULL.  The oops was triggered with the pty stressor in stress-ng when
in a low memory condition.

tty_init_dev tries to clean up a tty_ldisc_setup ENOMEM error by calling
release_tty, however, this ultimately tries to clean up the NULL pair'd
tty in pty_unix98_remove, triggering the Oops.

Add check to pty_unix98_remove to only clean up fsi if it is not NULL.

Ooops:

[   23.020961] Oops: 0000 [#1] SMP
[   23.020976] Modules linked in: ppdev snd_hda_codec_generic snd_hda_intel snd_hda_codec parport_pc snd_hda_core snd_hwdep parport snd_pcm input_leds joydev snd_timer serio_raw snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel qxl aes_x86_64 ttm lrw gf128mul glue_helper ablk_helper drm_kms_helper cryptd syscopyarea sysfillrect psmouse sysimgblt floppy fb_sys_fops drm pata_acpi jitterentropy_rng drbg ansi_cprng
[   23.020978] CPU: 0 PID: 1452 Comm: stress-ng-pty Not tainted 4.7.0-rc4+ #2
[   23.020978] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   23.020979] task: ffff88007ba30000 ti: ffff880078ea8000 task.ti: ffff880078ea8000
[   23.020981] RIP: 0010:[<ffffffff813f11ff>]  [<ffffffff813f11ff>] ida_remove+0x1f/0x120
[   23.020981] RSP: 0018:ffff880078eabb60  EFLAGS: 00010a03
[   23.020982] RAX: 4444444444444567 RBX: 0000000000000000 RCX: 000000000000001f
[   23.020982] RDX: 000000000000014c RSI: 000000000000026f RDI: 0000000000000000
[   23.020982] RBP: ffff880078eabb70 R08: 0000000000000004 R09: 0000000000000036
[   23.020983] R10: 000000000000026f R11: 0000000000000000 R12: 000000000000026f
[   23.020983] R13: 000000000000026f R14: ffff88007c944b40 R15: 000000000000026f
[   23.020984] FS:  00007f9a2f3cc700(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
[   23.020984] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   23.020985] CR2: 0000000000000010 CR3: 000000006c81b000 CR4: 00000000001406f0
[   23.020988] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   23.020988] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   23.020988] Stack:
[   23.020989]  0000000000000000 000000000000026f ffff880078eabb90 ffffffff812a5a99
[   23.020990]  0000000000000000 00000000fffffff4 ffff880078eabba8 ffffffff814f9cbe
[   23.020991]  ffff88007965c800 ffff880078eabbc8 ffffffff814eef43 fffffffffffffff4
[   23.020991] Call Trace:
[   23.021000]  [<ffffffff812a5a99>] devpts_kill_index+0x29/0x50
[   23.021002]  [<ffffffff814f9cbe>] pty_unix98_remove+0x2e/0x50
[   23.021006]  [<ffffffff814eef43>] release_tty+0xb3/0x1b0
[   23.021007]  [<ffffffff814f18d4>] tty_init_dev+0xd4/0x1c0
[   23.021011]  [<ffffffff814f9fae>] ptmx_open+0xae/0x190
[   23.021013]  [<ffffffff812254ef>] chrdev_open+0xbf/0x1b0
[   23.021015]  [<ffffffff8121d973>] do_dentry_open+0x203/0x310
[   23.021016]  [<ffffffff81225430>] ? cdev_put+0x30/0x30
[   23.021017]  [<ffffffff8121ee44>] vfs_open+0x54/0x80
[   23.021018]  [<ffffffff8122b8fc>] ? may_open+0x8c/0x100
[   23.021019]  [<ffffffff8122f26b>] path_openat+0x2eb/0x1440
[   23.021020]  [<ffffffff81230534>] ? putname+0x54/0x60
[   23.021022]  [<ffffffff814f6f97>] ? n_tty_ioctl_helper+0x27/0x100
[   23.021023]  [<ffffffff81231651>] do_filp_open+0x91/0x100
[   23.021024]  [<ffffffff81230596>] ? getname_flags+0x56/0x1f0
[   23.021026]  [<ffffffff8123fc66>] ? __alloc_fd+0x46/0x190
[   23.021027]  [<ffffffff8121f1e4>] do_sys_open+0x124/0x210
[   23.021028]  [<ffffffff8121f2ee>] SyS_open+0x1e/0x20
[   23.021035]  [<ffffffff81845576>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[   23.021044] Code: 63 28 45 31 e4 eb dd 0f 1f 44 00 00 55 4c 63 d6 48 ba 89 88 88 88 88 88 88 88 4c 89 d0 b9 1f 00 00 00 48 f7 e2 48 89 e5 41 54 53 <8b> 47 10 48 89 fb 8d 3c c5 00 00 00 00 48 c1 ea 09 b8 01 00 00
[   23.021045] RIP  [<ffffffff813f11ff>] ida_remove+0x1f/0x120
[   23.021045]  RSP <ffff880078eabb60>
[   23.021046] CR2: 0000000000000010

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-06-26 11:39:00 -07:00
..
accessibility
acpi Merge branch 'acpica-fixes' 2016-06-18 01:55:55 +02:00
amba ARM: 8566/1: drivers: amba: properly handle devices with power domains 2016-05-05 19:00:40 +01:00
android
ata remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
atm atm: iphase: off by one in rx_pkt() 2016-05-31 11:52:59 -07:00
auxdisplay
base Driver core fixes for 4.7-rc4 2016-06-18 06:04:01 -10:00
bcma MTD updates for v4.7: 2016-05-24 11:00:20 -07:00
block Merge branch 'stable/for-jens-4.7' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen into for-linus 2016-06-09 09:49:55 -06:00
bluetooth Bluetooth: Add USB ID 13D3:3487 to ath3k 2016-05-13 16:54:59 +02:00
bus Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2016-05-19 10:02:26 -07:00
cdrom
char ipmi: Remove smi_msg from waiting_rcv_msgs list before handle_one_recv_msg() 2016-06-13 08:56:28 -05:00
clk clk: nxp: Select MFD_SYSCON for creg driver 2016-06-01 15:14:06 -07:00
clocksource Small release overall. 2016-05-19 11:27:09 -07:00
connector
cpufreq cpufreq: intel_pstate: Adjust _PSS[0] freqeuency if needed 2016-06-15 01:56:47 +02:00
cpuidle cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter() 2016-05-18 02:48:37 +02:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2016-05-30 15:20:18 -07:00
dax /dev/dax, core: file operations and dax-mmap 2016-05-20 22:02:55 -07:00
dca
devfreq
dio
dma dmaengine: mv_xor: Fix incorrect offset in dma_map_page() 2016-06-07 12:44:23 +05:30
dma-buf dma-buf: use vma_pages() 2016-05-31 22:17:05 +05:30
edac EDAC, sb_edac: Readd accidentally dropped Broadwell-D support 2016-06-03 17:28:21 +02:00
eisa
extcon extcon: palmas: Fix boot up state of VBUS when using GPIO detection 2016-06-15 17:17:22 +09:00
firewire
firmware efi/arm: Fix the format of EFI debug messages 2016-06-03 09:57:36 +02:00
fmc
fpga
gpio gpio: Allow PC/104 devices on X86_64 2016-06-17 20:21:12 -07:00
gpu Merge tag 'drm-fixes-for-v4.7-rc4' of git://people.freedesktop.org/~airlied/linux 2016-06-15 19:54:52 -10:00
hid HID: multitouch: Add MT_QUIRK_NOT_SEEN_MEANS_UP to Surface Pro 3 2016-06-01 16:03:28 +02:00
hsi HSI: omap-ssi: move omap_ssi_port_update_fclk 2016-05-09 22:45:18 +02:00
hv
hwmon hwmon: (lm90) use proper type for update_interval 2016-06-07 20:13:05 -07:00
hwspinlock drivers/hwspinlock: use correct radix tree API 2016-05-20 17:58:30 -07:00
hwtracing coresight: Handle build path error 2016-06-16 00:13:06 -07:00
i2c i2c: mux: reg: Provide of_match_table 2016-06-09 22:38:16 +02:00
ide
idle
iio Staging fixes for 4.7-rc4 2016-06-18 06:05:28 -10:00
infiniband IB/IPoIB: Don't update neigh validity for unresolved entries 2016-06-07 10:49:48 -04:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2016-05-27 19:14:35 -07:00
iommu iommu/vt-d: Enable QI on all IOMMUs before setting root entry 2016-06-17 11:29:48 +02:00
ipack
irqchip irqchip/irq-pic32-evic: Fix bug with external interrupts. 2016-06-02 18:03:50 +01:00
isdn TTY and Serial driver update for 4.7-rc1 2016-05-20 20:57:27 -07:00
leds leds: handle suspend/resume in heartbeat trigger 2016-06-08 11:47:06 +02:00
lguest
lightnvm lightnvm: reserved space calculation incorrect 2016-05-06 12:51:10 -06:00
macintosh
mailbox mailbox: Fix devm_ioremap_resource error detection code 2016-05-08 22:44:46 +05:30
mcb mcb: Acquire reference to carrier module in core 2016-06-13 18:49:30 -07:00
md Merge branch 'for-linus' of git://git.kernel.dk/linux-block 2016-05-27 14:28:09 -07:00
media Update my main e-mails at the Kernel tree 2016-06-15 15:35:37 -10:00
memory memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing 2016-06-16 11:43:48 +03:00
memstick drivers/memstick/core/mspro_block: use kmemdup 2016-05-23 17:04:14 -07:00
message SCSI misc on 20160517 2016-05-18 16:38:59 -07:00
mfd remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
misc mei: don't use wake_up_interruptible for wr_ctrl 2016-06-10 22:14:24 -07:00
mmc mmc: sunxi: Re-enable eMMC HS-DDR modes on Allwinner A80 2016-06-02 10:40:20 +02:00
mtd ubi: Don't bypass ->getattr() 2016-06-14 10:51:42 +02:00
net vmxnet3: segCnt can be 1 for LRO packets 2016-06-10 00:15:11 -07:00
nfc NFC: pn533: handle interrupted commands in pn533_recv_frame 2016-05-10 00:01:47 +02:00
ntb
nubus
nvdimm DAX error handling for 4.7 2016-05-26 19:34:26 -07:00
nvme NVMe: Only release requested regions 2016-06-09 14:28:28 -06:00
nvmem remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
of drivers/of: Fix depth for sub-tree blob in unflatten_dt_nodes() 2016-06-09 14:36:34 -05:00
oprofile
parisc
parport
pci Char / Misc driver update for 4.7-rc1 2016-05-20 21:20:31 -07:00
pcmcia
perf arm: pmu: Fix non-devicetree probing 2016-06-15 09:51:35 +01:00
phy phy: for 4.7-rc 2016-06-10 23:06:21 -07:00
pinctrl pinctrl: mediatek: fix dual-edge code defect 2016-05-31 10:13:45 +02:00
platform platform/x86: Drop duplicate dependencies on X86 2016-06-08 13:21:37 -07:00
pnp driver core update for 4.7-rc1 2016-05-20 21:26:15 -07:00
power power supply and reset changes for the v4.7 series 2016-05-20 14:06:21 -07:00
powercap Power management material for v4.7-rc1 2016-05-16 19:17:22 -07:00
pps
ps3
ptp ptp: oops in ptp_ioctl() 2016-05-29 22:32:27 -07:00
pwm pwm: atmel-hlcdc: Fix default PWM polarity 2016-06-14 10:51:45 +02:00
rapidio rapidio/mport_cdev: fix uapi type definitions 2016-05-05 17:38:53 -07:00
ras
regulator Merge remote-tracking branches 'regulator/fix/qcom-smd' and 'regulator/fix/tps51632' into regulator-linus 2016-06-13 16:51:57 +01:00
remoteproc remoteproc: Add additional crash reasons 2016-05-12 15:50:19 -07:00
reset
rpmsg rpmsg: add THIS_MODULE to rpmsg_driver in rpmsg core 2016-05-06 11:08:58 -07:00
rtc rtc: tps6586x: rename so module can be autoloaded 2016-05-21 17:07:17 +02:00
s390 DAX error handling for 4.7 2016-05-26 19:34:26 -07:00
sbus openprom: fix warning 2016-05-20 18:33:37 -07:00
scsi Merge remote-tracking branch 'mkp-scsi/4.7/scsi-fixes' into fixes 2016-06-04 09:53:29 -04:00
sfi
sh
sn
soc soc: mtk-pmic-wrap: avoid integer overflow warning 2016-05-19 15:20:24 +02:00
spi sound updates #2 for 4.7-rc1 2016-05-28 12:23:12 -07:00
spmi
ssb
staging Revert "Staging: rtl8188eu: rtw_efuse: Use sizeof type *pointer instead of sizeof type." 2016-06-17 11:21:45 -07:00
target Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2016-05-28 12:04:17 -07:00
tc
thermal Merge branch 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2016-06-12 06:30:39 -07:00
thunderbolt
tty devpts: fix null pointer dereference on failed memory allocation 2016-06-26 11:39:00 -07:00
uio
usb usbip: rate limit get_frame_number message 2016-06-17 18:00:46 -07:00
uwb
vfio vfio/pci: Allow VPD short read 2016-05-31 21:25:52 -06:00
vhost target: make close_session optional 2016-05-10 01:19:26 -07:00
video OMAPDSS: HDMI5: Change DDC timings 2016-05-31 08:20:43 +03:00
virt
virtio virtio_balloon: fix PFN format for virtio-1 2016-05-22 19:44:13 +03:00
vlynq
vme
w1
watchdog watchdog: ebc-c384_wdt: Allow build for X86_64 2016-06-17 20:21:12 -07:00
xen Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2016-05-28 12:04:17 -07:00
zorro
Kconfig libnvdimm for 4.7 2016-05-23 11:18:01 -07:00
Makefile /dev/dax, pmem: direct access to persistent memory 2016-05-20 22:02:53 -07:00